SANS Investigate Forensic Toolkit (SIFT) Workstation Version 2.14
Note: If you are having trouble downloading the SIFT Kit please contact firstname.lastname@example.org and include the URL you were given, your IP address, and if you are using a proxy of any kind.
- SANS SIFT Workstation 2.14 Overview
- Download SIFT Workstation 2.14 Locations
- SIFT Workstation 2.14 Capabilities
- SANS SIFT Workstation Cheat Sheet
- SIFT Workstation 2.14 How-Tos -
- SANS SIFT WORKSTATION Detailed Tool Listing
- SIFT Recommendations
- VMware Appliance
- Ready to tackle forensics
- Cross compatibility between Linux and Windows
- Forensic tools preconfigured
- A portable lab workstation you can now use for your investigations
- Option to install stand-alone via (.iso) or use via VMware Player/Workstation
Recommended Download: The VMware Appliance allows an investigator to clone machines for each new case that comes in.
An international team of forensics experts, led by SANS Faculty Fellow Rob Lee, created the SANS Investigative Forensic Toolkit (SIFT) Workstation and made it available to the whole community as a public service. The free SIFT toolkit, that can match any modern forensic tool suite, is also featured in SANS' Advanced Computer Forensic Analysis and Incident Response course (FOR 508). It demonstrates that advanced investigations and responding to intrusions can be accomplished using cutting-edge open-source tools that are freely available and frequently updated.
The SIFT Workstation is a VMware appliance, pre-configured with the necessary tools to perform detailed digital forensic examination in a variety of settings. It is compatible with Expert Witness Format (E01), Advanced Forensic Format (AFF), and raw (dd) evidence formats. The brand new version has been completely rebuilt on an Ubuntu base with many new capabilities and tools such as log2timeline that provides a timeline that can be of enormous value to investigators.
SIFT 2.0 was a massive success, SIFT 2.14 will hope to again exceed expectations. As voted by you, the readers, the 2010 Toolsmith Tool of the Year was SIFT 2.0. The SANS Investigative Forensic Toolkit (SIFT) Workstation Version 2.0, as discussed in May's ISSA Journal, is a Linux distribution that is preconfigured for forensic investigations. SIFT 2.0 includes all the tools a forensic analyst/incident responder would require to conduct a thorough system investigation. I particularly favor it for memory analysis - grab a memory image from your victim system; pull it back to your SIFT VM and get down to business in no time flat
- Download VMworkstation, Player, or Fusion (www.vmware.com)
- Memory (Currently 1024K, increase to add more RAM as needed)
- CPUs (Currently 1, increase as needed for more power)
After downloading the toolkit, use the credentials below to gain access.
- Login "sansforensics"
- Password "forensics"
- $ sudo su -
- Use to elevate privileges to root while mounting disk images.
- Login "admin"
- Password "forensics"
Enable SHARED FOLDERS
- VM -> SETTINGS -> OPTIONS -> Shared Folders -> Always Enabled (Check)
- Access to Host System Found on Desktop
- Filesystem Shares \\SIFTWORKSTATION
- or use ifconfig and connect to eth0 IP Address listed (e.g. \\192.1368.1.12)
- /mnt - Mount point for read-only examination of digital forensic evidence
- /cases - Directory to store evidence
- VMware Player (Free From http://www.vmware.com)
- SANS SIFT Workstation Capabilities
Ability to securely examine raw disks, multiple file systems, evidence formats. Places strict guidelines on how evidence is examined (read-only) verifying that the evidence has not changed
- Windows (MSDOS, FAT, VFAT, NTFS)
- MAC (HFS)
- Solaris (UFS)
- Linux (EXT2/3/4)
- Expert Witness (E01)
- RAW (dd)
- Advanced Forensic Format (AFF)
- The Sleuth Kit (File system Analysis Tools)
- log2timeline (Timeline Generation Tool)
- ssdeep & md5deep (Hashing Tools)
- Foremost/Scalpel (File Carving)
- WireShark (Network Forensics)
- Vinetto (thumbs.db examination)
- Pasco (IE Web History examination)
- Rifiuti (Recycle Bin examination)
- Volatility Framework (Memory Analysis)
- DFLabs PTK (GUI Front-End for Sleuthkit)
- Autopsy (GUI Front-End for Sleuthkit)
- PyFLAG (GUI Log/Disk Examination)
- 100s more tools -> See Detailed Tool Listing
- iPhone, Blackberry, and Android Forensic Capabilities
- Registry Viewer (YARU)
- Compatibility with F-Response Tactical, Standard, and Enterprise
- PTK 2.0 (Special Release - Not Available for Download)
- Automated Timeline Generation via log2timeline
- Many Firefox Investigative Plugins
- Windows Journal Parser and Shellbags Parser (jp and sbag)
- Many Windows Analysis Utilities (prefetch, usbstor, event log, and more)
- Complete Overhaul of Regripper Plugins (added over 80 additional plugins)
Cheat Sheet and Catalog Notes: From FOR508 Advanced Computer Forensic Analysis and Incident Response course the forensic cheat sheet lists commands commonly used to perform forensics on the SIFT Workstation. Each section has a list of commands associated with executing the required action.
- How To Mount a Disk Image In Read-Only Mode
- How To Create a Filesystem and Registry Timeline
- How To Create a Super Timeline
- How To Acquire and Mount Raw, E01, AFF Disk Images
- How to use the SIFT Workstation for Basic Memory Image Analysis
SANS SIFT Workstation Detailed Tool Listing
SIFT workstation is playing an important role for the Brazilian national prosecution office, specially due to Brazilian government budgetary constraints. Its forensic capabilities are bundled on a way that allows an investigation to be conducted much faster than it would take if not having the right programs grouped on such great Linux distribution. The new version, which will be bootable, will be even more helpful. I'd highly recommend SIFT for government agencies or other companies as a first alternative, for acquisition and analysis, from the pricey forensics software available on the market.
- Marcelo Caiado, M.Sc., CISSP, GCFA, EnCE
What I like the best about SIFT is that my forensic analysis is not limited because of only being ableto run a forensic tool on a specific host operating system. With the SIFT VM Appliance, I can create snapshots to avoid cross-contamination of evidence from case to case, and easily manage system and AV updates to the host OS on my forensic workstation. Not to mention, being able to mount forensic images and share them as read-only with my host OS, where I can run other forensic tools to parse data, stream-lining the forensic examination process.
- Brad Garnett www.digitalforensicsource.com